
Chummer, here phishey, phishey phisey

budgenator (254554) writes | more than 7 years ago

User Journal 1


The other day I found a phishing spam in my Gmail account's spam folder. While it's getting rare to get a phishing spam and have the phishing site still operating, this one was. So, like many of us, curiosity got the better of me and I saved the source code for the web page, and wondered how difficult it would be to write a Perl script to send data to the phishing site. Well, the answer is that with a few modules like LWP, HTTP and DBI from CPAN it takes about 120 lines of well-formatted, legible code (or 20 as the camel walks). Using a database I already had, the little script takes random first and last names, addresses, randomly generated SSNs, passwords, mother's maiden name etc. and sends it to any website I want it to, even my own!

I named my little script chummer, after the guy who throws fish guts off the boat to attract predators to the people who hold the fishing poles; then it occurred to me that chum was also pretty good at attracting bugs. So now the big question is, if I fall prey to the highly satisfying urge to fill phishing sites up with a couple of gigabytes of well-formed but bad data using my little test script, am I breaking the law; and if I am, is anyone likely to care?

Does anyone think I should generalize the program to be more analytical and possibly configure itself to send data to any web application, maybe using XML configuration files as part of a general-purpose web application testing suite?


1 comment


An interesting approach. (1)

jd (1658) | more than 7 years ago | (#16162129)

It would reduce the value of phishing, as the ratio of valid to false data would worsen. Would it be a crime? Well, it's illegal to falsely identify yourself as someone else for the purpose of defrauding them, but it's not so clear-cut when the information is totally bogus (i.e.: you are not representing yourself as someone else, as there is no "someone else" for you to be represented as) and where you are not defrauding someone (phishers are generally not selling anything, rather it is simply a free "validation check" - if you're not authorizing a transaction, then how can it be defrauding them?).


There are libraries and Perl modules that - IIRC - check that such a form is "correct", in that some hash or checksum is valid. I seem to recall seeing code to actually generate the important values from form data. It should be possible, then, to ensure that Chummer generates forms that would pass any superficial inspection by the phishers. The only way the phisher's scripts could validate the data further would be to attempt a transaction at the time, which is unlikely. Many phishers appear to be harvesters of information who then sell it on. Very few phishers are caught, and my guess is that this is because their income is from buyers and not from the information itself. Anything that might kill the value of the data would kill the profits.


Having as many people run the program as possible would obviously be good, although such tactics have often resulted in DDoS attacks against those who distribute such software. HOWEVER, if the software were distributed via Usenet in addition to any other channels, it would be unblockable. Usenet may not be fashionable, but it is utterly invulnerable to DDoS attacks, no matter how big, and is equally invulnerable to any other attacks on infrastructure or servers, and is largely free from risk of reprisals as it can be totally anonymous.


However, if phishers suddenly started providing large volumes of bogus data, my guess is that the sale value would drop. At best, from the phisher's standpoint. At worst, the sorts of people who go buying databases of credit card numbers would also be the sort of people who would get their money back - not so much with extreme prejudice as with extreme pain and maybe the odd Aztec sun-worship ritual or two.


This does raise an important ethical question, when it comes to phishing elimination - if the worst-case scenario were indeed to happen, could this be damaging to the environment?
